On April 27, 2016, the European Parliament and the Council of the European Union approved Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter RGPD, General Data Protection Regulation), repealing Directive 95/46/EC.
It established a new legal framework for the processing and circulation of personal data applicable to all European Union countries, with the aim of ensuring uniform application in all Member States and raising the level of protection of natural persons' data.
Although it entered into force on May 25, 2016, its date of application was set for May 25, 2018, giving the Member States of the European Union, its institutions and bodies, and the controllers and processors of personal data two years to prepare for and adapt to the new legal framework. This means that from May 25, 2018 all of them must be in full compliance with the RGPD.
This Regulation is directly applicable, so it has not been necessary to transpose it into national law, which means that in Spain, from the date of application of the RGPD, the Regulation prevails over the currently valid Organic Law 15/1999 on Data Protection and its implementing Royal Decree 1720/2007.
The new regulation incorporates the principle of proactive responsibility (accountability), so that companies must apply all security means and measures appropriate to the identified risks and be able at all times to demonstrate that the processing complies with the regulation.
Breaches of the RGPD carry sanctions and fines of up to 20 million euros or 4% of the previous year's turnover.
What are the relevant changes that may affect you?
The Regulation obliges those who carry out certain processing operations to appoint a DPO, which may be external or internal. A DPO must be an expert in data protection and in information security methods and techniques, and may be a natural or legal person. The designation of the DPO must be communicated to the AEPD. Those who are not obliged to do so may designate a DPO on a voluntary basis.
The special categories of data are expanded, to include biometric data, genetic data, political opinions and sexual orientation.
Keeping a record of processing activities, both as controller and in those cases in which we act as processor; it must be available to both the data protection authorities and the data subjects.
The principle of data protection by design and by default is introduced, that is, protection must be considered from the initial phases of the development of a service, application, etc.
Carrying out a risk analysis in order to identify the risks to which the processed data are exposed.
The list of rights is extended, going from the rights known as ARCO rights to the POLIARSO rights (Portability, Opposition, Limitation of processing, Information, Access, Rectification, Deletion / right to be forgotten, and Opposition to being the subject of automated individual decisions).
The RGPD does not differentiate between personal data and 'professional' data (contact data of individuals who provide their services within a legal person, and of sole traders), as the current regulation does, which will force companies to take information actions for this category of data.
The minimum content of contracts granting data access to third parties is extended, so contracts with processors must be drawn up again, since the current ones do not comply with the RGPD.
The information obligations towards data subjects are extended, which will require updating the information already being provided to them.
Tacit consent (by silence) is eliminated, which will oblige companies to obtain new consent in order to keep all the data that were obtained tacitly in the past, or to seek another legal basis.
Personal data security breaches: obligation to notify them within 72 hours to the Spanish Data Protection Agency (AEPD) and, in serious cases, to the data subjects affected.
Requirement to carry out a data protection impact assessment for certain processing operations. The AEPD will publish a list of the types of processing operations for which it will be required.
Implementation of the RGPD in your company.
Compliance with the new General Data Protection Regulation (RGPD).
Team of experts in Data Protection
Training and advice from our team of experts in data protection.
Functions as Data Protection Officer (DPO)
Contract a DPO and avoid penalties and infringements in data protection.
Our team of lawyers specialises in defending your interests as a company against any sanction or infringement established by the new RGPD.
For all kinds of companies, corporations, organisations, and public and private institutions.